Management summary 

This publication contains a short narrative. The narrative asks 
the question “Do you remember the time when compliance 
was a burden?” 

Instead of futilely complaining about everything that makes 
our life complex and troublesome, we start by describing a 
future situation in which this question is fully legitimate. 

This leads to an intriguing perspective of what is needed to 
become an “entrepreneur of meaning” in the GRC space. We 
describe an actionable framework and the underlying 
principles that allow you to break the vicious spiral in which 
you are caught. 

The result is a GRC intelligence position in which you and your 
engaged workforce are able to face the pace of regulatory 
change, smash bottom-line costs, increase top-line revenue 
and profitability and - most importantly - restore trust. And 
your compliance issues? They will be over, because you are 
compliant by design. 

The narrative is purposely kept very basic, and presents the 
overall view of a GRC framework without going into too much 
detail. For a more in-depth understanding and elaboration, 
the reader may go to the book that John Coyne and I have 
written: ‘Playing Jazz in the GRC Club; the 'Future Perfect' of 
Governance, Risk and Compliance’. 

The book starts with the content of this narrative and then 
takes the presented innovative perspective of GRC to a broader 
and deeper level. 

For more information, see: www.beinformed.com. 


Thei Geurts 
A new perspective 


How to notice the 
difference 


Vicious compliance 
spiral 


Introduction 

There is a wonderful construct in solution-focused therapy 
called “future perfect”. In a business environment, we often 
refer to it as “the dot on the horizon” or the “to-be” 
situation. Its main function is to take a step back and look at 
your situation from a higher, analytical and objective 
perspective. This is inherently connected to achieving a 
deeper understanding of the real causes of your current 
problems. It enables you to develop a transition path to the 
new future. If we take that approach and apply it to the 
governance, risk & compliance (GRC) domain, something 
interesting happens: a new perspective on GRC emerges. 

So we should not complain about the gap between strategy 
and execution, non-authorized decisions or backward-mirror- 
oriented checks and controls. At this stage, we should also not 
elaborate on regulatory complexity, managing credit, 
knowledge, legal and other risks, the increasing cost of 
compliance or how to address integrity issues, but focus on 
the “future perfect” of your GRC environment. Then we might 
have another kind of conversation. 

Suppose you were a C-level representative of a highly 
regulated industry, e.g. of a financial institution, and I were 
to ask you, “What would happen if you awoke tomorrow and 
all your compliance problems had vanished? How would you 
notice the difference?” What would your answer be? 


Break the vicious spiral 

You would understandably perhaps need to make up your mind 
first, and probably buy some time with remarks like, “An 
intriguing question. We indeed mostly focus on all the 
elements that are holding us back.” 

You might continue with, “We are stuck in a vicious 
compliance spiral. I will try to answer your question and 
explain how we broke that spiral. But before I answer, allow 
me to explain what I mean by governance, risk & compliance 
and how I position my compliance issues.” 
Understanding decisions 

Figure 1: The vicious spiral 

[Figure; surviving label: More rigidness] 

Source: based on the Crozier bureaucracy spiral 

Then you would probably say, “There is an OCEG definition 
that reads as follows: GRC is ‘the capability to reliably achieve 
objectives (governance & performance) while addressing 
uncertainty (risk management) and acting with integrity 
(compliance).’” 

You might continue by stating, “For me, there is an important 
strategic component in GRC, dealing with business objectives 
and performance, balancing investments according to our 
desired direction and desired results, setting decision rights 
and resulting policies.” You refer to leading analysts who 
claim that understanding and articulating which decisions 
must be made, by whom, how and when, and ensuring that 
policies are aligned with legal requirements and business 
objectives, are all key parts of the decision-making aspect of 
governance (Short & Caldwell, 2012). 

“However,” you say, “GRC also involves setting risk tolerances 
for external and internal risks and being capable of dealing in 
time with unexpected events. This requires that processes and 
procedures be in accordance with policies and within the 
tolerances to support decisions. That covers the risk 
management aspect. Finally, the compliance and assurance 
aspect of GRC is about establishing measures to monitor 
adherence to policies and decisions.” 
It all boils down to trust 


Knowledge-based trust 


“So,” you conclude, “solving compliance problems is not an 
isolated issue, but a systemic one. It is only possible if I take 
the whole GRC ecosystem into account.” I would probably nod 
affirmatively and then continue with my question. “Fine, and 
what would happen if you awoke tomorrow and all your 
compliance problems had vanished? How would you notice the 
difference?” 


Trust drives your “future perfect” 

“Okay,” you say. “I would almost certainly see a flourishing 
profitable business, with a strong performance, solid growth, 
great elasticity, engaged employees, and we would all enjoy 
our work. But do you want to know how exactly I would notice 
the change that took place?” 

“My answer is that, in my ‘future perfect,’ I would notice that 
we had restored the confidence of society and the government 
that we have lost in this present crisis of values. In the end, it 
all boils down to trust, doesn’t it? Ultimately, our profitability 
depends on it.” 

“Yes. That makes sense,” would be my reaction. My next 
question would then be: “So how would you notice that trust 
had been restored, and how would you be able to foster and 
maintain that trust?” 

You would probably give two examples. “First, the 
government has reduced our regulatory burden in the sense 
that we are certified to act in a higher division of trust,” you 
tell me. “Initially, we were forced to act like we were under a 
contract. Many checks, controls and reports were required and 
we had a lot to explain and prove. Now we have reached a 
knowledge-based trust level (Kramer & Tyler, 1996) in which 
our organization and our contracted partners are proven 
compliant.” 

“Regulatory agencies audit and have approved the way we 
organize our GRC processes. They have real-time access to our 
knowledge base, in which we maintain the life cycle of 
regulations, risk tolerances, policies and controls.” You smile 
and add, “Naturally, they do not see the organizational 
strategy, goals, objectives and internal metrics that we have 
seamlessly connected to these rules.” 
Figure 2: The trust growth path facing regulators 

[Figure; stages facing the regulator: stable calculus-based trust, stable knowledge-based trust, stable identification-based trust] 

Source: Kramer & Tyler. Trust in Organisations, 1996 

Real-time oversight 

“On the other hand, regulatory agencies may have real-time 
oversight of the way we have executed controls in our 
transactions, using the shielded access and standard reporting 
and notification features we provide. In more and more cases, 
we even have an open invitation to act at the highest level of 
trust. We are partnering in defining new regulations, shaping 
the way that fits our industry and discussing the results of our 
impact assessments before government decisions become 
active.” 

You are a regulator yourself 

Secondly, you provide me with an example that clarifies how 
you are now able to maintain that trust in a highly cost-effective 
way. You tell me that at some point in time you 
realized that you are, in essence, a regulator yourself. “The 
same level of trust that is expected from me externally, and is 
enforced upon me, has to exist between me and my board, 
our business units and the partners in our network.” 

“That has led to some important choices,” you tell me. “We 
have devised a structure that ‘connects all the dots’ and 
enables end-to-end governance and transparency. So we have 
connected regulatory alignment, risk alignment and business 
alignment in one coherent and consistent approach. We have 
closed the loop from strategy to execution, from proof to 
improvement, and turned it into a continuous loop.” 

Find the sweet spot 

Meaning is more than rules 

Meaning drives your business operating system 

You explain to me that this was enabled by focusing on the 
core of the governance, risk & compliance process and finding 
the sweet spot. You have realized that you have to increase 
the meaning quotient of work (Cranston & Keller, January 
2013). So you have become what Gary Hamel calls an 
“entrepreneur of meaning” (Hamel, February 2009). 


Entrepreneur of meaning 

You have found that three simple words are crucial: meaning, 
decision and context. “Meaning,” you say, “is about the 
meaning of regulatory, policy and business requirements. It 
tells me ‘what’ I have to do ‘how,’ ‘why’ and ‘when’ in a 
specific situation. So, meaning is directly connected to the 
context of the situation at hand. Therefore ‘meaning’ is more 
than simple rules.” Decisions play a vital part in your end-to- 
end process from strategizing to execution and from 
monitoring to improving. You and your employees take 
decisions on a daily basis about aspects like a credit 
application, risk assessments, deal or no deal, based on the 
meaning of requirements in a specific context of a specific 
case. 

In your “future perfect,” you tell me, you have established an 
actionable framework in which the meaning of requirements is 
extracted in human and machine-readable form and stored as 
your source of truth. This source provides the fuel that drives 
your entire business operating system. It is directly infused 
into your operations and executes preventive controls to 
shield you from risks. It enables you to take automated 
decisions and provide decision support when and where 
needed. This shortens your cycle time and reduces the 
workload considerably. This source of truth enabled you to 
achieve the knowledge-based level of trust you enjoy from 
your regulatory authorities. 

You are keen to emphasize that you are talking about a 
conditional source of truth. It is an intelligence source that 
tells you what is true within a certain context that is specified 
in regulatory and policy documents. This regulatory and policy 
intelligence source feeds the decision process based on 
preconditions, and always in line with the objectives you have 
defined. The preconditions determine what kind of 
information is needed and which activities are allowed or 
required by whom at that moment in the process. Each new 
piece of information leads to an automatic assessment of what 
is now needed and allowed. 

Eliminate traditional workflow 

The exception is the rule 

Become truly customer-centric 

Compliant by design 

Actionable framework 

By handling decisions this way, you have eliminated the 
traditional vision of workflow and processes, including all their 
limitations. Instead of designing consolidated flows that are 
believed to address the constraints of all parties involved, you 
have captured the individual constraints of all stakeholders, 
and the business processes meeting these constraints are 
automatically inferred. The result is flexible business 
processes that allow experts to shape their own work based on 
their experience and seamlessly adapt to the dynamic network 
they are performed in. (Grondelle & Rensen, 2013) 

Since all decisions are based on the meaning of requirements 
in the context of every case, you are able to treat every case 
as unique. There are no exceptions anymore, because you 
have made the exception the rule. 

On this basis, you were able to establish an advanced degree 
of self-service functionality. It turned out to be the missing 
stepping stone for your organization to become truly 
customer-centric. 

Since your framework records the decision data with a trace 
to the requirements on which they are based, you can always 
prove that you are compliant. You are “compliant by design”. 
This enables real-time monitoring and instant and 
consolidated reporting. It removes the burden of e-discovery 
in litigation cases and frees up time to focus on assessments 
for continuous improvement. 

Looking at my face, you see that it is hard for me to understand 
what you mean, so you draw me an image of the framework 
that you envision in your “future perfect”. 

The image shows the process of reacting to external 
regulations by distilling the requirements, executing impact 
assessments, creating implementation scenarios, defining or 
mapping the new requirements to your strategy and 
objectives, deciding on the acceptable risk tolerance and 
“translating” the result into policies, controls, reports and 
performance metrics. You even mention alerts and training as 
elements that can be defined in your framework. 


Figure 3: Your actionable governance, risk & compliance 
framework 



Source: Be Informed, Thei Geurts, 2013 
Regulatory challenges 

Coping with regulatory challenges. Lifecycle management of regulations, objectives, risks, 
policies & controls. According to all standard and proprietary frameworks (e.g. risk, legal, 
business, compliance), including party oversight. 


Semantic model 

Meaning-based transposition of requirements, rights, obligations and constraints in a 
coherent and resilient model, enabling comprehensive & instant changes. Time-sensitive 
rules. 


Definition 

Executable output manifestations of the model based on one version of the truth. 
Supported by e.g. dynamic forms, wizards, checklists, workplace and services. 

Up to date documentation. 


Preventive controls 

Infusion of GRC-intelligence in the core process. Execution of prescriptive and 
preventive controls. Automated decisions. Dynamic activity plan and unified case view. 
Situation and role aware collaboration and actions, based on preconditions. Case records 
and audit trail. 


Review & Evaluate 

Dynamic activity plan for monitoring, auditing, reporting. Comprehensive overview with 
link to regulations and policies on which decisions are based. Data integration, merging, 
access and retrieval. Notifications, dashboards, instant and consolidated reporting from 
multiple perspectives. Feedback and continuous improvement. 


Publish & Share 

Publishing and providing access to data and reports. Enabling real-time oversight for all 
stakeholders. Proof of ethical behavior, enhancing public trust. 


Then you draw my attention to what you call “the semantic 
sweet spot” of your framework. 
Source of truth in a 
model 


Preventive executable 
compliance controls 


Dynamic activity plan 


Managing meaning 


The semantic sweet spot 

The semantic sweet spot contains your source of truth, in 
which all requirements are transposed into a man-and- 
machine-readable semantic model. “Semantic means 
meaning,” you explain to me. “It is not only our sweet spot, 
because it contains all the meaning, rules and conditions, but 
also because it has an embedded ability to ‘transform’ itself 
as a portal, a knowledge base, a wizard or as a service. It is 
directly executable in many forms. It is the catalyst of all our 
operations - the core differentiator that makes the ‘future 
perfect’ feasible,” you tell me. 

Figure 4: Managing meaning 

[Figure; surviving labels: Semantic Sweet Spot, Regulations] 

Source: Be Informed, Thei Geurts, 2013 


Based on that sweet spot, you are able to infuse compliance 
rules into your process and execute preventive controls. You 
use automated decisions and decisions that are guided to a 
specialist based on the case and rules at hand. All your 
knowledge workers work together across their silos. 

They are supported by a dynamic activity plan that helps them 
to plan and perform their job within the guidelines and 
boundaries of your risk policy and procedures. All activities 
and decisions are recorded and can be used for monitoring and 
reporting. You can publish reports, provide access to your 
knowledge base, as you mentioned before, and share data and 
findings across the enterprise. 

You tell me that this approach has changed the mindset of 
your organization. “We are now more focused on managing 
meaning, improving our performance and exploiting the 
possibilities that regulations offer. We now regard a regulatory 
change more as a business opportunity than as a threat.” 

Risk-aware culture 

Become more profitable 

Sustainability 

Regulatory change in one day 

Finally, you draw my attention to the behavioral aspect. “In 
the past, we had huge difficulties in terms of how to establish 
a risk-aware culture enterprise-wide,” you told me. “In my 
‘future perfect,’ it is always clear to everyone what they have 
to do and why. Tolerances are embedded in the decision 
process, and preventive controls reduce the temptation and 
even the possibility to diverge from our principles and 
policies. This reduces the risk of fraud and other prohibited 
forms of conduct.” 


Augmenting your GRC Intelligence position 

“If I try to grasp that picture of your ‘future perfect,’ it is 
evident to me that you have created a GRC intelligence 
position that offers extreme value. Since you have established 
a smart method of decision control, you must have eliminated 
all, or at least a large proportion of, your main cost drivers. 
You have probably also freed up capital because you can act 
reliably with lower risk thresholds. This means that you must 
have become more profitable.” 

“That is absolutely the case,” is your answer. “We were, for 
example, able to move a large portion of our assets from tier 
3 to tier 2 and from tier 2 to tier 1 and also cut our claim 
costs considerably. If accountancy or other intermediary 
organizations provide us with GRC as a service, we can simply 
infuse their regulatory intelligence into our process and 
become even more efficient. We have already thought about 
decision measurement and decision pricing as a new pricing 
mechanism.” 

“How about sustainability?”, I am tempted to ask. “How, for 
example, do you deal with regulatory change?” I can imagine 
that that question may make you smile. “Regulatory change is 
not an issue anymore,” you tell me. “We only have to change 
a regulatory requirement once and in one place to make it 
executable throughout the whole process. That is a 
consequence of establishing one version of the truth. 

“We can process a regulatory or policy change in a few days, 
and in hours, if needed, instead of months. Since we are able 
to apply regulatory and policy requirements to all products, 
we can detect upfront potential overlap and conflicting 
requirements. Last but not least,” you add, “the cost of 
change has decreased dramatically.” 

Support multiple frameworks 

Enterprise-wide risk management 

You even draw my attention to the fact that your approach is 
able to support all legal frameworks, like Basel III and Dodd-Frank, 
and support all standard and proprietary risk and control 
frameworks, not only in financial services, but also in other 
matters and domains, like safety, environment and health. 

“So it doesn’t matter if new regulations will be issued; we can 
handle them,” you say. “We can provide the same level of 
trust to our regulatory agencies and apply the same approach 
enterprise-wide. We even use the same approach for 
managing our third-party contracts to cover our whole supply 
and demand chain. 


Figure 5: Support for multiple frameworks 



Source: Be Informed, Thei Geurts, 2013 


“In essence, we have created a resilient system that is 
adaptive and agile at the same time, as well as highly 
actionable, collaborative and inherently transparent. It also 
provides all the dashboards we need, allowing the board and 
myself to execute our governance role and focus on the things 
that really matter for our business continuity. In addition, our 
risk manager finally has realized his vision of an enterprise-wide 
risk management system for all risk types, and is thus 
well equipped to deal with uncertainties. As a result, my legal 
and compliance officers can focus more on their advisory 
tasks, and internal audit can audit in real time instead of 
retrospectively and recommend remediation. External 
auditors and supervisors receive a full service, which reduces 
the burden on my operations and makes expenses negotiable.” 

Predictable IT 

Engaged workforce 

“That’s quite impressive,” I reply. “How about your IT 
department? I noticed that you didn’t mention them.” “They 
are enthusiastic, too,” you respond. “Naturally, they were 
skeptical in the beginning and wanted proof. They are focused 
on remaining predictable, but also eager to support the 
business. Extracting meaning, context and decision-based 
elements from the code made this much easier for them. Now 
we have separate release cycles for regulatory, policy and IT- 
related changes.” 

My next question could be, “What about your employees 
below the management level? How did you facilitate their 
buy-in?” “That all relates to the trust-factor,” you answer. 

“We have managed to transform the vicious spiral into a 
virtuous spiral. Since we focus on the meaning, context and 
decisions, they have more autonomy to collaborate and decide 
within the constraints that are set for their role and 
competence level. The level of engagement is astonishing. 

Figure 6: The virtuous spiral 

[Figure; surviving label: More engagement] 

Source: Be Informed, Thei Geurts, 2013 
Transformation 


Doing it the organic way 


Business technology 


“As I said, the whole process is supported by a workplace and 
a dynamic activity plan that guides the execution of 
mandatory and optional tasks across all divisions and 
departments. This applies to all activities, like policy-making, 
impact assessment, defining controls, executing controls, 
monitoring, reporting, auditing, recommending or 
remediating. It is a layer above the organization that connects 
all activities without affecting the systems and responsibilities 
that are already in place. It offers freedom and control at the 
same time. We have broken the vicious spiral and have 
transformed it into a virtuous spiral.” 

Thinking about the impact of such a revolutionary approach, I 
wonder how you have transformed your organization to 
achieve that future position. Your answer would probably be, 
“How do you eat an elephant? Slice by slice. Once you have 
created your vision, the transformation starts. You have to 
follow an evolutionary approach to realize the business case of 
the whole process and the business cases of every part of it. 
Start with a solid foundation and expand from there in an 
incremental way. Lower your GRC burden in a controlled way 
that fits the maturity and capabilities of your organization.” 

Looking for a metaphor, you say, “Do it in an organic way, as 
if your organization is a living body. Grow step by step, 
explore with an open mind, accept small pains to achieve big 
gains and foster your self-healing capability. In other words, if 
events hurt you despite all precautions, be prepared and able 
to remediate and continuously improve. Utilize instruments 
and technology that inherently strengthen your organic 
capabilities. Don’t try to model the whole world, but focus on 
the essential. The less optimal solution often delivers the best 
cost-benefit ratio. Never forget that managing meaning is 
essentially managing the heartbeat of your organization.” 

That is your advice. 


What is holding you back? 

I wonder what is preventing you from realizing that “future 
perfect,” and you tell me that it is the lack of an enabling 
technology. You are fully aware that “business as usual” is no 
longer possible, since continuous change and uncertainty 
prevail. However, you are still looking for a technology that is 
non-invasive, that supports your process end to end, and is 
dedicated to business-centricity. 

Face the pace of change 

Reporting 

Maintain risk-adjusted profitability 

Knowledge and experience should, in your opinion, be 
separated from the fundamental infrastructure required for 
processing, because they change more rapidly. Knowledge, 
know-how, expertise, best practices... “Call them what you 
like,” you say, are, in your opinion, fundamentals that need 
to be managed via an actionable framework by the business 
itself. 

Currently, though, you are still impaired by a situation in 
which your process execution knowledge is hidden in 
computer code or lives in isolation in user guides and 
spreadsheets. Data authenticity and integrity are hard to 
maintain, and you cannot stay up to date. 

You even tell me that in New York, the home of some of the 
largest financial institutions in the world, there are some 
14,000 proposed regulations that affect their global 
operations: rules that to a large extent are not (or cannot be) 
implemented across the financial enterprises. This is in full 
violation of not only U.S. regulations, but also global 
regulations such as Basel II & III and international regulations 
of the European Banking Authority. 

You are facing a similar problem. Even worse, the number of 
regulations is increasing, as is the speed of changes. Reporting 
cannot be based on approximation anymore, but must be 
based on detail in order to survive serious scrutiny. Reporting 
also has to meet strict deadlines that are in conflict with the 
data provisioning cycles of your IT systems. Your present 
reporting is mainly based on time-consuming hindsight 
analysis, and you are unable to reduce your reporting latency. 
As a consequence, you are reporting too late to the regulatory 
authority, which leads to further undermining of the level of 
trust, which is already low. 

Your board cannot fulfill its regulatory obligation for 
oversight. Not being compliant may result in high penalties 
and even prosecution, both for them and for you. You are 
struggling to maintain a risk-adjusted profitability. The cost of 
GRC implementation is high, and does not directly contribute 
to the primary business in terms of revenues and profit. 

Overall business performance is going down, which is why you 
want to tackle your compliance issues from a systemic 
perspective. 
The 7P model 


You currently feel like a circus acrobat, balancing on a rope 
above the Grand Canyon without a safety harness or net. Your 
main concern is not falling down, instead of going forward and 
enchanting the public with your capabilities. 


You are showing me your 7P model, and explain to me that 
the essence of GRC can be expressed in seven concepts, 
starting with the letter P. 

Figure 7: The 7P model of governance, risk & compliance 



Source: Be Informed, Thei Geurts, 2013 


“The two open connectors symbolize the current fragile 
transfer and connection points between the preceding and 
next concept,” you explain to me. 

Then you create a list of the concerns that belong to every 
concept in the model. The list now offers a condensed - non- 
exhaustive - list of the concerns you are dealing with. 
Figure 8: Your 7P model concerns 

Prudence 

How to reinstall confidence? 

Society and Government lack trust and keep issuing regulations to force the exercise of 
prudence and enforce transparency. 

Provisioning 

How to get help to cope with the flood of new regulations & expectations? 

Provisioning services from external bodies and providers are fragmented and lack 
structural, syntactic and semantic interoperability. How to control cost? 

Policy 

How to address continuous regulatory pressure? 

How to assess risk and impact of new regulations and changed conditions? 

How to align business objectives & performance within the defined risk tolerance 
constraints? 

How to manage strategic and operational risk, promote ethical behavior and prevent 
fraud and other misconduct? 

How to develop, align, distribute, communicate and maintain directives, policies, 
procedures and controls and their lifecycle? 

How to provide meaningful insight from multiple perspectives? 

How to manage and impose contractual mandates? 

How to implement risk profiles with procedures, preventive and repressive controls in the 
business? How to keep them up to date? How to plan controls? 

Production 

How to align, execute and enforce controls across many products, systems and business 
lines? How to get a 360-degree view of the client case context? 

How to make risk-tolerance-aware decisions based on preventive controls? 

How to automate decisions? 

How to monitor and synchronize collaboration? How to treat every case fairly? 


How to record, secure and access data? Transaction and interactions (arti)facts in many 
places, not linked to policy and controls. 

Proof 

How to monitor, control and assure compliance? 

How to move from sample based backward to continuous forward control? 

How to report in time from multiple perspectives, internal and external? 

How to collaborate with different parties and roles? 

How to provide liability and litigation proof from a dispersed landscape? 

How to identify and detect internal risk? 

How to mitigate risk? 

Performance 

How to prevent that the business operating system slows down and the business is 
underperforming? 

How to prevent that working capital is not available due to high risk reserves? 

How to conquer technological limitations and growing complexity? 

How to apply technology to optimize gradually and assure return on investment? 

Profit 

How to remain profitable and seize opportunities? Business as usual is cancelled; new 
market risks appear overnight and come from everywhere. 

How to cope with change dynamics? 

How to create trust from the regulatory authorities and prevent reputation damage? 


Source: Be Informed, Thei Geurts, 2013 


Our conversation unsurprisingly ends with a sigh that you 
really are looking forward to the moment when you can 
relieve the GRC burden and finally engage in a 
transformational journey to your “future perfect”. 
A transformative 
technology 


Semantic computing 


Prescriptive solutions at 
the transaction level 


Transformation can start NOW 

If the reader’s conception of the GRC future is similar to that 
of my imaginary conversation partner, then I have exciting 
news for you. 

Every twenty years or so, in IT, a new technology emerges 
that, by virtue of its exceptional ability, is able to address an 
entirely new class of customer problems. Such a technology 
transforms the way people work, improving productivity by 
providing non-linear improvements in performance. 

Now, for the first time, a new technology has emerged that 
breaks the bonds of the previous paradigm and allows pure 
semantic computing to emerge, putting the power of 
computing in the hands of domain experts, and facilitating a 
leap in productivity. But that’s not all! Concept computing 
shifts the paradigm of value from process and data to 
decisions and actionable computing: the next great value 
enabler in computer progress. 

The business technology that can leverage the ambition that is 
expressed in this publication is finally available. This proven, 
scalable and reliable technology is now being introduced into 
the commercial market. With a proven track record of 
high-performance governance, Be Informed’s Governance Risk & 
Compliance group is ready to bring this innovation to globally 
regulated industries. 

Be Informed stands alone in providing total prescriptive 
solutions at the transaction level. This means that at each 
stage of a transaction, Be Informed’s technology can monitor 
for compliance and risk at both the internal policy and 
government regulator level. Where regulations are well 
understood, this can provide productivity gains in the various 
role relationship layers within an enterprise. Where there is 
ambiguity, you can surface those ambiguities for management 
intervention and legal opinion. Furthermore, once established, 
the interpretation becomes part of the straight-through 
processing facility that streamlines the activity. 

What’s more, these decisions are recorded at the time of the 
transaction, and a real-time audit provides both management 
and regulators with an “in-time snapshot” reference as to why 
a transaction was deemed either compliant or non-compliant, 
and allows management to control the compliance risk. 
Increasing STP by 99% 


From increasing pain to 
increasing gain 


The 7P model revised 


Be Informed’s GRC initiative comes from increasing 
experience in delivering applications that have yielded results 
such as order-of-magnitude improvements in change adoption 
(days instead of months), increases in straight-through 
processing (STP) as high as 99%, reductions in licensing costs 
for communication systems, and the replacement of 
infrastructure for a reduced footprint. 

The business case for risk-aware thinking and action can now 
finally be made with ease. The curve of increasing pain can be 
replaced by a curve of increasing gain. We have sketched the 
value proposition and value architecture. There is a 
transformation approach that fits every organization at the 
enterprise or network level. The enabling technology is now 
available. Last but not least, there are also strong economic 
and regulatory drivers for change. 


Connecting the dots 

If you take a look at the presented 7P model you will see that 
now all of my conversation partner’s 7P concerns can be 
addressed and provided with an answer. 

Figure 9: Connect the dots 



Source: Be Informed, Thei Geurts, 2013 
Figure 10: Your 7P model answers 

Prudence 

Create trust by providing timely and accurate information. 

Augment transparency by offering compliance proof services to regulators and enable real 
time regulatory oversight. 

Cooperate in certified self-control and meta-oversight constructs. 

Provide impact proof about the effect of new regulations. 

Provision 

Set standards and use a ‘comply or explain’ approach for external provisioning services. 

Engage in pre-competitive collaboration on standards, vocabularies and semantics. 

Engage in GRC as a Service initiatives and fuse them with your internal system. 

Policy 

Create a GRC-intelligence position and enable ex-ante risk and impact assessment. 
Develop and simulate scenarios. Model the business in context and from a goal oriented 
perspective incl. the defined risk tolerance. 

Design for compliance. 

Create one version of the truth and make re-use the norm. Manage the policy lifecycle by 
collaboration and embedded role separation. Capitalize on brainpower. Create a 
knowledge base to provide insight and support training objectives. Define ethical principles 
and integrate them in the control and certification cycle. Treat contracts as regulatory 
mandates and apply the same standards to them. 

Make procedures and controls executable. 

Offer GRC as a service. 

Infuse context aware decision intelligence. 

Plan coherent control and report activities. Enable virtual organization and collaboration. 

Production 

Execute preventive controls (manual and automatic) based on the infused intelligence and 
dynamic decision support. 

Support collaboration, role separation and dynamic workflows. Apply monitoring rules, 
create alerts and offer integrated views. 

Apply mass customization. Treat every request as a unique case. Create an audit trail, 
record the decision context with the applied controls, their origin and used rationale. 

Manage all case related facts in a unified case dossier including their decision context. 
Apply strict security and retention rules for dossiers. Enable gathering and merging of 
data based on metadata. 

Proof 

Provide role based dashboards and alerts. 

Support continuous auditing, assessment and monitoring from multiple perspectives per 
case and cross-case. Generate reports based on reporting templates. 

Support role based collaboration for monitoring, reporting, analysis, recommendation 
and remediation. 

Use the case dossier for liability issues and smash cost of legal discovery. 

Offer access to the knowledge base and provide information services for regulatory 
oversight. 

Support ex-post impact and risk assessment and propose remediation. 

Performance 

Connect the dots and augment your GRC-capability. 

Lever your logic to achieve transparency, sustainability & accountability within a risk 
aligned business performance. 

Use a non-invasive business technology to support the business for various GRC- 
frameworks and to optimize invested capital in knowledge and systems. Use a robust 
platform. Apply a growing live approach. Start with removing a major bottleneck and 
optimize by re-use. Reduce legacy and cut compliance costs. 

Profit 

Result: You have built a GRC-intelligence position and created a high performance GRC- 
organization. This allows you to move more risks to tiers with lower financial thresholds, 
lower claim cost and free capital. You are compliant by design and can become a trusted 
partner of authorities. Your actionable GRC-capability and reputation grow by continuous 
improvement and engagement. New regulations offer new opportunities. 


Source: Be Informed, Thei Geurts, 2013 


All dots can be connected and the fragile transfer and 
connection points are replaced by antifragile connections. 
We recommend transforming organically, starting by 
addressing the parts of the 7P model that constitute the 
largest burden, and employing your own preferred 
implementation scenario. 

The future has started 

High-performance 

GRC organization 

In this publication, we intended to prove that the “future 
perfect” that is presented can now be realized. Proven 
technology is available. Concept computing enables you to 
leverage the semantic sweet spot, install a regulatory 
capability, and realize real-time regulatory oversight. 
Interdependencies between frameworks can be surfaced, and 
topical regulations and policies can be executed in a coherent 
way. Risk management can be performed at a higher and more 
comprehensive level. New business opportunities arise. The 
board and all other stakeholders can look forward, and the 
whole enterprise can swing to the melody of continuous 
change. 

Enjoy the future 

Your transformation journey can start right now. The final 
result for you will be a GRC intelligence position and high- 
performance GRC organization. You are compliant by design 
and can become a trusted partner of authorities. Your 
actionable GRC capability and reputation grow through 
continuous improvement and engagement. New regulations 
offer new opportunities and, through a systemic approach, 
your compliance issues are solved and future issues are 
prevented. 
About Be Informed 

Be Informed is an internationally operating, independent 
software vendor. The Be Informed business process platform 
transforms administrative processes. Thanks to Be Informed’s 
unique semantic technology and solutions, business 
applications can be made completely model-driven, enabling 
organizations to adjust immediately to new strategies and 
regulations. Organizations using Be Informed often report cost 
savings of tens of percent. Further benefits include a much 
higher straight-through processing rate, leading to vastly 
improved productivity and a reduction in time-to-change from 
months to days. 